Stuxnet: new light through old windows

Very few pieces of malware have garnered the same kind of worldwide attention as Stuxnet – the computer worm used as a cyber weapon to attack Iran’s uranium enrichment facility in Natanz.

Even several years after its discovery, new details that shine light on the scope of the attack keep emerging.

An article and a white paper (To Kill a Centrifuge), published by Ralph Langner last week, intend to set the record straight and correct some misconceptions about Stuxnet.

The fact is, we already knew about earlier versions of Stuxnet from the report Symantec published earlier this year, titled Stuxnet 0.5: The Missing Link.

But what makes Langner’s analysis so valuable is his background and knowledge of industrial systems, and specifically the fact that he spent several years studying the particularities of the nuclear plant at Natanz.

Stuxnet was first uncovered in June 2010 by a small antivirus firm from Belarus (more specifically by Sergey Ulasen, who now works for Kaspersky). This is the version that made centrifuges spin faster than they should, causing early failures and driving Iranian engineers crazy looking for the cause.

That version of Stuxnet was highly sophisticated and widely accepted as having been created by a nation state with cyber capabilities (such as the US or Israel). However, it was also very noisy and therefore did not stay undetected for long.

An earlier version, with a totally different infection vector and payload, would have gone undiscovered if it were not for a sample found on VirusTotal, the multi-engine antivirus scanning service, showing it had been active since at least 2007.

This earlier Stuxnet did not use the fancy zero-days of its successor to infect its target, but rather exploited a vulnerability in a Siemens SIMATIC STEP 7 DLL.

Once active, it went to great lengths to remain undetected by replaying a pre-recorded scenario of “normal” events on the monitoring screens while doing its thing.

Unlike the rotor-speed attack, this variant’s method was to cause overpressure by manipulating isolation and exhaust valves, with the ultimate goal of putting too much stress on the rotors and forcing them into early retirement.

Langner’s paper confirms the attacker’s identity, but the insight he gives into their actual motive may surprise some. According to him, the capability was there to cause massive damage all in one go, but instead the attacker took great care not to go for it, at least not in such a way.

Stuxnet counts as the most aggressive cyber-physical attack ever documented, and perhaps the most misunderstood one. For instance, Stuxnet did not ‘escape’ the Natanz facility over the Internet. Instead, it propagated through network shares and ultimately got out of Iran thanks to unwitting contractors.

Langner takes a very critical stance toward antivirus vendors and other defensive technologies such as Intrusion Detection Systems.

Without a specific signature, the original Stuxnet worm would probably never have been discovered. It just happened that the second version was sloppy enough to carry its predecessor’s routines within its code, which eventually led to a match in VirusTotal.com’s records.

Finally, Langner concludes on the difficulty of defending against cyber-attacks by making a good point about cyber-offense versus cyber-defense. The former can be achieved through typical military protocols, given a budget. The latter is much more difficult.

“Cyber defense of critical national infrastructure is expected to be implemented voluntarily by a dispersed private sector that feels little desire to address matters of national security by ill-coordinated risk management exercises that negatively affect the bottom line,” Langner stated.

For those interested in cyber-warfare and malicious code, I highly recommend reading this white-paper.

_________________________________________________________________

Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.